From: "Ronnel P. Maglasang" <rmaglasang@infoweapons.com>
Date: Mon, 06 Jul 2009 13:50:57 +0800
To: tt-list@simplenet.com
Cc: freebsd-pf@freebsd.org
Subject: Re: Extremely simple redirect rule doesnt appear to be working
Message-ID: <4A5190C1.2060205@infoweapons.com>
In-Reply-To: <4A518F07.1070209@simplenet.com>
References: <4A4D2010.4020908@simplenet.com> <4A4F0950.7020005@simplenet.com> <4A518B6B.1010407@simplenet.com> <4A518F07.1070209@simplenet.com>

Tim Traver wrote:
>
>
> Chris Buechler wrote:
>> On Mon, Jul 6, 2009 at 1:28 AM, Tim Traver wrote:
>>
>>> Thanks for responding. I am indeed testing this from within the same
>>> machine, as I need the redirection to take place when attempting to make
>>> requests FROM the machine to an outside source.
>>>
>>> Is there not a way to do that with pf ???
>>>
>>
>> There are multiple options, see:
>> http://www.openbsd.org/faq/pf/rdr.html
>>
>
> Chris,
>
> yes, that is where I originally got all of the information, and made
> my original post with my redirection line in the pf.conf that does not
> appear to be doing anything. I couldn't figure out why, hence the post
> here.
>
> Here is a copy of the original post if you think you might have any
> insight...
>
> Hi all,
>
> ok, I'm a little new to messing around with pf, but have come up for a
> need that it sounds like it should be able to solve.
>
> I want to be able to redirect outgoing http requests from the box back
> to local addresses on the box...
>
> In reading up, it appears that the redirect config line should do
> that, and in testing, I have a simple line like this in the pf.conf
>
> rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> [internal address here] port 80
>
> now, I haven't made that internal address be an address on the local
> box yet, cause I'm testing to see how this works...
>
> I can manually telnet to [internal address here] port 80 with no
> problems and get the apache greeting.
>
> Once I turn on and load the pf.conf file (with pfctl -F all -f
> /etc/pf.conf), and I try to telnet to 209.131.36.158 port 80 (generic
> www.yahoo.com), I don't get redirected to the internal address port 80
> and get the apache greeting that is expected...
>
> I did turn on port forwarding as per the instructions for NAT,
> although it didn't say if it was needed for rdr.
>
> net.inet.ip.forwarding=1
>
> in netstat, I see it trying to actually reach the outside IP, which it
> can't, so the translation didn't appear to take effect...
>
> am I missing something ?
>
Yes, I believe so. rdr works only for incoming traffic. To redirect
outgoing traffic locally you need to re-route the traffic using the
route-to option. Try these rules.

--
rdr pass on lo0 inet proto tcp from any to 209.131.36.158 port 80 -> port 80
pass out log quick on lo0 no state
pass in log quick on lo0 no state
pass out quick on route-to (lo0 ) inet proto tcp from any to 209.131.36.158 port 80 keep state
--

> Thanks,
>
> Tim.
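The reply's loopback approach laid out as a complete pf.conf fragment, as an added example (not the rules as the poster sent them): the archive dropped the interface name, the internal address and the route-to next-hop, so those are labelled placeholder macros here, and the commented pfctl/tcpdump lines are the checks that show whether the translation is actually applied rather than only inferring it from netstat.

```pf
# Added example, not from the original mail. Placeholder values (assumptions):
ext_if   = "em0"            # interface the outbound request would normally leave on
web_dst  = "209.131.36.158" # outside address the local process tries to reach
int_addr = "10.0.0.10"      # local address that should answer instead (placeholder)
lo_hop   = "127.0.0.1"      # next-hop address for route-to via lo0 (assumed)

# 1. rdr only matches packets coming IN on an interface, so it is attached to lo0,
#    the interface the re-routed packet will arrive on.
rdr pass on lo0 inet proto tcp from any to $web_dst port 80 -> $int_addr port 80

# 2. Let the re-routed packets through lo0 in both directions; "log" sends a
#    copy of each match to pflog0 so the loop can be observed.
pass out log quick on lo0 no state
pass in  log quick on lo0 no state

# 3. Send locally originated traffic for the target out over lo0 instead of
#    $ext_if, so that it comes back in on lo0 and hits the rdr rule above.
pass out quick on $ext_if route-to (lo0 $lo_hop) inet proto tcp \
    from any to $web_dst port 80 keep state

# Checks (run as root):
#   pfctl -nvf /etc/pf.conf       # parse and print the expanded rules without loading them
#   pfctl -F all -f /etc/pf.conf  # flush and load, as done in the mail
#   pfctl -s nat                  # the rdr rule must be listed here
#   telnet 209.131.36.158 80      # from the box itself
#   pfctl -s state                # a state for $web_dst:80 translated to $int_addr:80 means rdr applied
#   tcpdump -n -e -ttt -i pflog0  # the logged lo0 passes show the packet taking the loop
```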